Releases: Unitech/pm2
v7.0.3
v7.0.2
7.0.2
Bug Fixes
- Fix pm2 serve returning 403 Forbidden on Windows — traversal guard used hardcoded / separator #6109
- Fix pm2 ls table misalignment when a username exceeds the user column width — cli-tableau's truncate() miscounts ANSI bytes, leaking bold into the watching column
- Fix long status lines (e.g. Applying action … on app […]) wrapping on narrow terminals — Common.printOut now ANSI-aware crops single-line TTY output to terminal width (piped output unaffected)
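The separator problem behind the pm2 serve 403 fix, as an added illustration that is not pm2's code: the function names, root directories and requests are assumptions, and path.win32 / path.posix are passed in explicitly so the Windows behaviour reproduces on any OS.

```javascript
const path = require('path');

// Hypothetical guard in the style the note describes: '/' is hardcoded, so it
// only recognises children of root on platforms whose separator is '/'.
function isInsideHardcoded(p, root, requested) {
  const resolved = p.resolve(root, requested);
  return resolved === root || resolved.startsWith(root + '/');
}

// Separator-agnostic guard: path.relative() gives the route from root to the
// target; a route that climbs ('..') or is absolute (other drive) is outside.
function isInside(p, root, requested) {
  const rel = p.relative(root, p.resolve(root, requested));
  const climbs = rel === '..' || rel.startsWith('..' + p.sep);
  return !climbs && !p.isAbsolute(rel);
}

// Constructed sample requests, evaluated with Windows and POSIX path rules.
function compare() {
  const cases = [
    [path.win32, 'C:\\srv\\www', 'index.html'],
    [path.win32, 'C:\\srv\\www', '..\\secret.txt'],
    [path.posix, '/srv/www', 'index.html'],
    [path.posix, '/srv/www', '../secret.txt'],
  ];
  return cases.map(([p, root, req]) => ({
    request: req,
    hardcoded: isInsideHardcoded(p, root, req) ? 200 : 403,
    portable: isInside(p, root, req) ? 200 : 403,
  }));
}

console.log(compare());
```

With Windows rules the hardcoded guard rejects even index.html, which is the 403 the fix addresses, while both guards still refuse the request that climbs out of the root.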
Features
- pm2 ls host-metrics line now shown by default pm2 update)
- pm2 ls adaptive layout: picks the widest layout that fits the terminal — full → condensed → new ultra-compact mini (id · name · status · cpu · mem) — and caps the name column so long names can't overflow the table
- pm2 ls host-metrics line only lists network interfaces carrying traffic (hides idle utun/awdl/bridge/anpi/unused en*)
- pm2 ls host-metrics line: replaced mem free with ram usage (%), added GPU memory/temperature when reported, per-interface network errors/drops shown when non-zero
Core Refactor
- Drop old vizion module, refactor to support only git and drop 3 submodules
- Replace the bundled pm2-sysmonit module and systeminformation with lib/tools/SysMetrics.js (Linux/macOS); pm2 slist/getSystemData and the Docker metrics path now read this collector. Covered by test/programmatic/sysmetrics.mocha.js
Security
- Bump js-yaml 4.1.1 → 4.3.0 — fixes quadratic-complexity DoS in merge-key handling (GHSA-h67p-54hq-rp68) #6122
- Bump ws 8.20.0 → 8.21.0 — fixes uninitialized-memory disclosure and tiny-fragment DoS (GHSA-58qx-3vcg-4xpx, GHSA-96hv-2xvq-fx4p) #6116
- Bump @pm2/js-api 0.8.0 → 0.8.1, pulling in patched ws@8.21.0 (its transitive ws was pinned to the vulnerable 7.x). Production deps are now advisory-free (npm audit --omit=dev clean)
v7.0.1
7.0.1
Bug Fixes
- Fix Python (and other non-Node) interpreter regression on Ubuntu: bun runtime detection used a naive includes('bun') substring check that matched any path containing the letters "bun" — most notably /home/ubuntu/.... Affected paths were routed through ProcessContainerForkBun.js and crashed with SyntaxError: unterminated string literal when Python tried to parse the JS container. Anchored the match to the end of the interpreter path (=== 'bun' or /bun$/) in both lib/God/ForkMode.js and lib/Common.js #5990
- Display max_memory_restart in pm2 describe output when set #5925
- Add missing port option to StartOptions TypeScript declaration #6045
- Fix incorrect file permissions on openrc.tpl template (0755 → 0644) #5957
- Fix Windows cmd.exe regression: revert bin/pm2* launchers to #!/usr/bin/env node shebang (was polyglot #!/bin/sh). Polyglot worked on Linux/macOS but broke npm's pm2.cmd shim on Windows — cmd.exe can't interpret /bin/sh shebang and failed with '"/bin/sh"' is not recognized as an internal or external command. PowerShell's auto-generated pm2.ps1 shim happened to call node directly so it kept working, masking the regression. Bun-only Linux/macOS users (no Node installed) need to symlink node to bun (sudo ln -s $(which bun) /usr/local/bin/node) — same workaround used in the project's bun test Dockerfile. Documented in README #6108
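The bun-detection regression from the first fix in this list, as an added example that is not pm2's code: the function names and sample interpreter paths are constructed, and the basename variant goes one step beyond the fix described in the note.

```javascript
// The check quoted in the note: true for any path containing "bun".
function isBunNaive(interpreter) {
  return interpreter.includes('bun');
}

// The anchored form the note describes (=== 'bun' or /bun$/).
function isBunAnchored(interpreter) {
  return interpreter === 'bun' || /bun$/.test(interpreter);
}

// Stricter variant (an assumption, not from pm2): compare the file name only,
// so a binary whose name merely ends in "bun" is not matched either.
function isBunBasename(interpreter) {
  const base = interpreter.split(/[\\/]/).pop();
  return base.replace(/\.exe$/i, '') === 'bun';
}

// Constructed interpreter paths.
const SAMPLES = [
  'bun',
  '/usr/local/bin/bun',
  '/home/ubuntu/venv/bin/python3',
  '/opt/tools/notbun',
];

// Evaluates every sample with all three detectors.
function classify() {
  return SAMPLES.map((s) => ({
    interpreter: s,
    naive: isBunNaive(s),
    anchored: isBunAnchored(s),
    basename: isBunBasename(s),
  }));
}

console.log(classify());
```

The Python interpreter under /home/ubuntu is misrouted only by the naive check; the anchored form still accepts a name that merely ends in "bun", which the basename comparison rules out.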
v7.0.0
7.0.0
Breaking Changes
- Require Node.js >= 18.0.0 (dropped Node.js 16 support)
Core Refactor
- Internalize pm2-axon, pm2-axon-rpc, pm2-io-bpm, pm2-io-agent, fclone as local modules (reduced supply chain surface)
- Internalize pm2-multimeter and charm into lib/tools/multimeter (zero external deps)
- Add Bun runtime support (ProcessContainerBun.js, ProcessContainerForkBun.js)
- Replace needle with native fetch (CliAuth, TAR publish)
- Replace enquirer with lightweight built-in prompt (boilerplate selector)
- Replace promptly with built-in lib/tools/prompt
- Replace mkdirp with native fs.mkdirSync({ recursive: true })
- Replace source-map-support with native process.setSourceMapsEnabled()
- Replace sprintf-js with template literals (Dashboard)
- Replace url.parse() with native URL constructor (Serve, Utility, CliAuth)
- Remove fclone npm dep, use internalized module
- Drop auto source map file detection in Common.prepareAppConf
Security
- CVE-2025-5891 Fix ReDoS in Config.js string-to-array split regex #6075
- CVE-2026-27699 Update proxy-agent to 6.5.0, basic-ftp to 5.3.1 #6088
- Fix command injection in WebAuth.js open() — replace exec() with execFile() #6089
- Fix command injection in PM2IO.js open() — replace exec() with execFile(), validate SUDO_USER
- Fix command injection in lib/tools/open.js — replace exec() with execFile(), validate SUDO_USER
- Fix prototype pollution in Configuration.set/unset via __proto__ key traversal #6089
- Fix HttpInterface env stripping never executing (WEB_STRIP_ENV_VARS) #6089
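How a dotted-key setter reaches Object.prototype through key traversal, next to a hardened form, as an added example for the prototype pollution entry above. This is not pm2's Configuration code: setUnsafe, setSafe, the forbidden-key list and the marker key are all assumptions made for illustration.

```javascript
// Hypothetical dotted-key setter in the vulnerable style: it walks any key,
// including "__proto__", so the walk can step onto Object.prototype.
function setUnsafe(store, dottedKey, value) {
  const keys = dottedKey.split('.');
  let node = store;
  for (const k of keys.slice(0, -1)) {
    if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
}

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: reject dangerous segments and only descend into own properties.
function setSafe(store, dottedKey, value) {
  const keys = dottedKey.split('.');
  if (keys.some((k) => FORBIDDEN.has(k))) {
    throw new Error('refusing unsafe configuration key: ' + dottedKey);
  }
  let node = store;
  for (const k of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
}

// Runs one constructed key through both setters and reports whether an
// unrelated fresh object inherited the marker; the marker is removed again.
function demo() {
  const key = '__proto__.pm2_demo_marker'; // constructed sample input
  setUnsafe({}, key, true);
  const pollutedByUnsafe = ({}).pm2_demo_marker === true;
  delete Object.prototype.pm2_demo_marker;
  let rejected = false;
  try { setSafe({}, key, true); } catch (e) { rejected = true; }
  return { pollutedByUnsafe, rejected, pollutedBySafe: ({}).pm2_demo_marker === true };
}

console.log(demo());
```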
Bug Fixes
- Rewrite TreeKill: single ps snapshot + in-memory tree build, eliminates race conditions. SIGKILL escalation now targets surviving child processes directly instead of re-walking a dead tree #6084
- Fix [object Object] env vars leaked to fork mode subprocesses #6073
- Fix Windows home path: use os.homedir() instead of HOMEPATH/HOMEDRIVE env vars #6106
- Fix Windows TreeKill callback consistency
- Fix missing BPM monitoring injection in Bun cluster mode (ProcessContainerBun.js)
- Fix ReferenceError crash in Bun cluster console overrides when disable_logs is true
- Fix CliAuth wrong credentials error displaying "undefined" instead of error message
Features
- Add --ftp option to pm2 serve for directory listing (python http.server style)
Dependencies
- Add OpenTelemetry tracing as direct dependencies (@opentelemetry/api, sdk-node, auto-instrumentations-node)
- Upgrade OpenTelemetry packages to latest
- Update pidusage from 3.0.2 to 4.0.1
- Upgrade ws to ^8.18.0, eventemitter2 to ^6.4.9
- Remove needle, enquirer, promptly, mkdirp, source-map-support, sprintf-js, fclone from npm dependencies
Testing
- Add Docker parallel test runner with Node.js and Bun support
- Add Windows test suite (test/windows.sh)
- Add OpenTelemetry tracing tests
- Add TreeKill unit tests
- Add test scripts for internalized modules (bpm, axon, axon-rpc, io-agent)
- Fix test compatibility for Node.js 22+ and Bun
- CI matrix: Node.js 18, 20 + latest